"We don’t want to be whistle-blowers - we want to fix stuff, not embarrass people." Before ‘SenseNets’, before ‘Breed Ready’, ethical hacker Victor Gevers and his GDI.Foundation made headlines for the scale of online breaches they had identified: the non-profit organization keeps track of 33 million vulnerabilities and in 2018 they tracked down the owners of more than 600,000.

"Most of these systems are completely open," Victor told me, "so we don’t need to break the law. We find out the owner of the database and we inform them. Compare us to volunteer firefighters. If we see smoke coming out of a house there is a possible fire. We ensure the fire goes out."

But now Victor is making headlines for different reasons. In February came the SenseNets data breach, shining a light on the dystopian facial recognition tracking of Xinjiang Muslims. The cache left open by the Shenzhen-based facial recognition company exposed data relating to the real-time movement of Xinjiang Muslims. A database of more than 2.5 million records: names and addresses; ID card numbers; dates of birth; passport photographs; employer details; and, most alarmingly, 6.5 million records relating to the GPS locations passed by those individuals in the prior 24 hours.

"Since SenseNets," Victor explained to me, "we have found there are two sides to the coin. We always report the system to the owner, but if we find stuff that is not good or has questionable ethics then we’re experimenting to see if we can share that on social media."

And that’s exactly what they have done. Earlier this month Victor and his team also exposed a cache of personal profiles and chat logs from Chinese web cafes, then last weekend they exposed a publicly accessible database that included the 'breed ready' status of 1.8 million Chinese women.

Reflecting, Victor can see that SenseNets changed everything. "We reported the system. We found it very remarkable, not knowing exactly what the use was. I posted a tweet, saying this is the system we found, it's mass surveillance, it's bad, it's out there. Then after a while, some journalists asked if we ever checked the GPS locations in the database because this could be a very bad thing."

The ethical hacker’s dilemma

This is where Victor's personal dilemma comes into play - he didn't set out to be political. "Your house is on fire," he explains. "We come as volunteers. We come to stop the fire. But before we walk out, we see a document on the floor saying 'confidential', and an indication that something is wrong. We take that information and we show it to everyone. That’s the thing we are worried about. We are not breaking and entering, because these databases are open. But, still, I can imagine that organizations don’t like us to be taking a look in there and that we address this publicly."

The SenseNets data cache included location descriptions such as 'mosque' and illustrated the extent of the surveillance state deployed in Xinjiang, a laboratory for China's surveillance technology. "We took a [statistically small] sample of records," Victor explains. "We used Google Translate. We looked up GPS locations. And it all pointed to the same province. So, I reached out to the journalist and I asked, 'can you help me with this'. And the journalist verified the information and said this is bad, this can’t stay covered, you need to list this publicly. So that's how the ball started rolling."

And then, in the last two weeks, Victor broke the news of another Chinese breach, this one containing hundreds of millions of social media profiles and chat logs from web cafes, from apps like WeChat and QQ, again detailing personal information such as citizen ID numbers, addresses and GPS locations. Even more recently was the 'breed ready' data breach exposed last weekend, just after International Women's Day.

“In China, they have a shortage of women," Victor tweeted at the time. “So, an organization started to build a database to start registering over 1.8 million women with all kinds of details like phone numbers, addresses, education, location, ID number, marital status, and a 'BreedReady' status. The youngest girl in this database is 15y," Gevers pointed out. "The youngest woman with BreedReady: ‘1’ status is 18y. The average age is a bit above 32y, and the most aged woman with a BR:1 is 39 and with a BR:0 is 95y. All are single [89%], divorced [10%] or widow [1%]. About 82% lives in 北京市[Beijing]."

There followed a social media debate as to whether this breach came from a dating site or something more onerous and governmental. "In the last month,” Victor explained, “we’ve been experimenting in asking for help on social media, to ask what's the best way to approach it."

All roads lead to China?

One can’t avoid being drawn into the raging debate about China's surveillance state when looking at the recent breaches exposed by Victor. "In the last month, we have found a lot of databases that show the implementation of mass surveillance,” he told me, “using extensive technology that is purely designed for monitoring … based on smart cities … [including] the mobile data of users, who’s talking to who and who’s going where."

Given the clear sensitivities, he has taken personal responsibility for vetting what traces back to China. “China is my responsibility. I want to make sure it's reported in the correct way and if there's something more to it other sources get a chance to take a look at it.” It isn’t only China, of course, and Victor emphasizes that: "These data leaks don’t lead to just one country, we find them everywhere. Only the most controversial we share on Twitter, mostly China, but also the U.S. and telecom providers in Europe."

But, in reality, there’s nothing quite like the data coming out of China. And it’s the headlines linking Victor to China that have impacted his core mission. "Because of all the media attention, China doesn’t like us very much anymore. At some point, as a non-profit organization bringing free help we say - if you don’t want it fine, it's your problem."

Victor is neither political nor a specialist on China or its surveillance state. "I am not an expert in that field,” he emphasized to me. “This is why we share this stuff because it needs proper addressing by people who do know about this kind of things.”

One of the people Victor has publicly debated is Otto Kolbl, a Ph.D. candidate from the University of Lausanne who was married to a Chinese citizen and has lived, worked and researched there. Otto is vocal in his criticism of the headline conclusions that have been drawn from the data breaches exposed by Victor and his team.

“Victor Gevers found himself in a situation where he thought that he had found the ultimate proof of the dehumanizing nature of the Chinese regime,” Otto told me, referring specifically to the ‘breed ready’ exposure. “This did not allow him to see other possible interpretations. The problem is not specific to Victor Gevers: it is a universal problem in media, academia and civil society that people who have reached their own conclusion on something (in general in accordance with their own preferred narrative) are not willing to question it.”

Victor acknowledges much of this. "This is the ethical dilemma,” he told me. “You see a mass surveillance system being open, where the metadata can be accessed by anyone, can be manipulated by anyone. So, our first instinct is to warn the owner of the system. But after we have reported the system it is important to understand who owns it and what is it meant for. And this is really out of scope for us. Sometimes it's better to take a look at what you’re dealing with, even if that's not in your comfort zone. We didn’t start doing this volunteer work to dig into things we don’t like. On the other hand, that's exactly what happened. That's the ethical conflict."

What next?

The headlines we have seen this year have been amplified because live tracking through facial recognition is seen in the West as particularly dystopian, generating its own backlash. And the ‘breed ready’ data breach was inherently headline-ready.

“Our dilemma,” Victor admitted, “is that this almost goes against our mission statement and it is conflicting with our 'neutrality', which was a big step for us because everything that we have done, we are doing now and are going to do in the near future will have consequences one way or another."

Victor also told me that he is asking why so much of this data is turning up at this particular time, why so many systems appear to be going online publicly. "Is it because people know we are looking for them? Are people reaching out for help?" he asked. "Doing nothing is not an option but doing it so publicly maybe doesn’t help. I got a lot of responses from Chinese people saying this is great, thank you for your revelations, but this is not the idea, the idea is not to fuel the discussion about the kind of politics are going on in that country. That's not our mission. But that might be how people are understanding that."

And so back to that core dilemma.

“It sounds cryptic, but we are figuring out if our approach is the best way to address these issues. As a young guy, I read comics. And there was a quote, 'with great power comes great responsibility. This does not require great powers, but if you have access to knowledge and you don’t act on it, that can be considered unethical. This is to the part where two worlds collide for us. Yes, it's good to show the world the things we have found, but that doesn’t help us to operate freely.”